The X Supervisor Extension

...making X forwarding over OpenSSH safer.

Introduction

The X Supervisor extension provides a new security model for the X
Window System, largely based on the existing model of the X
Security extension. Using the X Supervisor extension it is possible
to run untrusted X clients within a highly-configurable sandbox, and
to do so in a convenient way. The rationale
shows that, in some cases (e.g. when using OpenSSH X11 forwarding
or other tunnelling tools), some sort of sandbox is
mandatory if we care about security.

This extension has the following goals:

Security: the sandbox should stop all nasty operations

Convenience/Compatibility: current well-behaving applications should still run

Flexibility/Configurability: the user should be able to decide the policy, which should not be imposed by the system

Performance: the sandbox overhead should be low

It is not difficult to see that these goals are contradictory and
therefore cannot all be achieved simultaneously. For instance, security
conflicts with convenience, and flexibility conflicts with
performance. This extension aims to reach a reasonable
compromise among these goals.

Specification

Implementation

A sample implementation of the extension is provided as a patch to the
popular XFree86 X server. A primitive supervisor client and a
patch to OpenSSH are also being developed. See the
installation instructions for further
information about how to use the sample implementation.

License

Unless otherwise specified, all the code is licensed under this MIT-style license. The OpenSSH patch
is released under the BSD-style license used by OpenSSH.

Screenshots

Since this is an X protocol extension and not an X application, there
are no screenshots. There are, however, some images of a
proof-of-concept application that uses the extension in the rationale section.